Overview
OpenID Connect (OIDC) allows your GitHub Actions workflows to authenticate with Octopus Deploy to push packages, create releases or trigger deployments without storing Octopus Deploy passwords or API keys as long-lived GitHub secrets.
This guide provides an overview of how to configure Octopus Deploy to trust GitHub's OIDC as a federated identity, and includes a workflow example for the octopusdeploy/login action that uses tokens to authenticate to your Octopus Deploy instance.
Prerequisites
-
若要了解 GitHub 如何使用 OpenID Connect (OIDC) 及其体系结构和优势的基本概念,请参阅“OpenID Connect”。
-
在继续之前,必须规划安全策略,以确保仅以可预测的方式分配访问令牌。 要控制云提供商颁发访问令牌的方式,必须至少定义一个条件,以便不受信任的存储库无法为云资源请求访问令牌。 有关详细信息,请参阅“OpenID Connect”。
Adding the identity provider to Octopus Deploy
To use OIDC with Octopus Deploy, first establish a trust relationship between GitHub Actions and your Octopus Deploy instance. For more information about this process, see Using OpenID Connect with the Octopus API in the Octopus Deploy documentation.
- Sign in to your Octopus Deploy instance.
- Create or open the Service Account that will be granted access via the token request.
- Configure a new OIDC Identity, defining the relevant subject that the GitHub Actions workflow token request will be validated against.
Updating your GitHub Actions workflow
To update your workflows for OIDC, you will need to make two changes to your YAML:
- Add permissions settings for the token.
- Use the
OctopusDeploy/loginaction to exchange the OIDC token (JWT) for a cloud access token.
注意
在工作流或 OIDC 策略中使用环境时,建议将保护规则添加到环境中以提高安全性。 例如,可以在环境中配置部署规则,以限制可以部署到环境或访问环境机密的分支和标记。 有关详细信息,请参阅“管理部署环境”。
Adding permissions settings
作业或工作流运行需要使用 id-token: write 的 permissions 设置,以允许 GitHub 的 OIDC 提供者为每个运行创建 JSON Web 令牌。
注意
在工作流权限中设置 id-token: write 不会授予工作流修改或写入任何资源的权限。 这只会允许工作流为某个操作或步骤请求(提取)并使用(设置)OIDC 令牌。 然后,此令牌用于通过生存期较短的访问令牌向外部服务进行身份验证。
有关所需权限、配置示例和高级方案的详细信息,请参阅 OpenID Connect 参考。
Requesting the access token
The OctopusDeploy/login action receives a JWT from the GitHub OIDC provider, and then requests an access token from your Octopus Server instance. For more information, see the OctopusDeploy/login documentation.
The following example exchanges an OIDC ID token with your Octopus Deploy instance to receive an access token, which can then be used to access your Octopus Deploy resources. Be sure to replace the server and service_account_id details appropriately for your scenario.
# 此工作流使用未经 GitHub 认证的操作。
# 它们由第三方提供,并受
# 单独的服务条款、隐私政策和支持
# 文档。
jobs:
create_release_in_octopus:
runs-on: ubuntu-latest
name: Create a release in Octopus
permissions:
# You might need to add other permissions here like `contents: read` depending on what else your job needs to do
id-token: write # This is required to obtain an ID token from GitHub Actions for the job
steps:
- name: Login to Octopus
uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2
with:
server: https://my.octopus.app
service_account_id: 5be4ac10-2679-4041-a8b0-7b05b445e19e
- name: Create a release in Octopus
uses: OctopusDeploy/create-release-action@fe13cc69c1c037cb7bb085981b152f5e35257e1f #v3.2.2
with:
space: Default
project: My Octopus Project
# 此工作流使用未经 GitHub 认证的操作。
# 它们由第三方提供,并受
# 单独的服务条款、隐私政策和支持
# 文档。
jobs:
create_release_in_octopus:
runs-on: ubuntu-latest
name: Create a release in Octopus
permissions:
# You might need to add other permissions here like `contents: read` depending on what else your job needs to do
id-token: write # This is required to obtain an ID token from GitHub Actions for the job
steps:
- name: Login to Octopus
uses: OctopusDeploy/login@34b6dcc1e86fa373c14e6a28c5507d221e4de629 #v1.0.2
with:
server: https://my.octopus.app
service_account_id: 5be4ac10-2679-4041-a8b0-7b05b445e19e
- name: Create a release in Octopus
uses: OctopusDeploy/create-release-action@fe13cc69c1c037cb7bb085981b152f5e35257e1f #v3.2.2
with:
space: Default
project: My Octopus Project